sudo/sudo-ldap.conf
Radovan Sroka 8469017bb7 RHEL 10.0 ERRATUM
- sudo-1.9.15-2.p5.el10: RHEL SAST Automation: address 4 High impact true positive(s)
Resolves: RHEL-44436
- sudo subpackage sudo-logsrvd should not be built
Resolves: RHEL-52864
2024-08-19 07:21:14 +02:00

87 lines
3.1 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## BINDDN DN
## The BINDDN parameter specifies the identity, in the form of a Dis
## tinguished Name (DN), to use when performing LDAP operations. If
## not specified, LDAP operations are performed with an anonymous
## identity. By default, most LDAP servers will allow anonymous
## access.
##
#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
## BINDPW secret
## The BINDPW parameter specifies the password to use when performing
## LDAP operations. This is typically used in conjunction with the
## BINDDN parameter.
##
#bindpw secret
## SSL start_tls
## If the SSL parameter is set to start_tls, the LDAP server connec
## tion is initiated normally and TLS encryption is begun before the
## bind credentials are sent. This has the advantage of not requiring
## a dedicated port for encrypted communications. This parameter is
## only supported by LDAP servers that honor the start_tls extension,
## such as the OpenLDAP and Tivoli Directory servers.
##
#ssl start_tls
## TLS_CACERTFILE file name
## The path to a certificate authority bundle which contains the cer
## tificates for all the Certificate Authorities the client knows to
## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup
## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
## use the same certificate database for CA and client certificates
## (see TLS_CERT).
##
#tls_cacertfile /path/to/CA.crt
## TLS_CHECKPEER on/true/yes/off/false/no
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi
## cated to be verified. If the server's TLS certificate cannot be
## verified (usually because it is signed by an unknown certificate
## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
## is disabled, no check is made. Note that disabling the check cre
## ates an opportunity for man-in-the-middle attacks since the
## server's identity will not be authenticated. If possible, the CA's
## certificate should be installed locally so it can be verified.
## This option is not supported by the Tivoli Directory Server LDAP
## libraries.
#tls_checkpeer yes
##
## URI ldap[s]://[hostname[:port]] ...
## Specifies a whitespace-delimited list of one or more
## URIs describing the LDAP server(s) to connect to.
##
#uri ldap://ldapserver
##
## SUDOERS_BASE base
## The base DN to use when performing sudo LDAP queries.
## Multiple SUDOERS_BASE lines may be specified, in which
## case they are queried in the order specified.
##
#sudoers_base ou=SUDOers,dc=example,dc=com
##
## BIND_TIMELIMIT seconds
## The BIND_TIMELIMIT parameter specifies the amount of
## time to wait while trying to connect to an LDAP server.
##
#bind_timelimit 30
##
## TIMELIMIT seconds
## The TIMELIMIT parameter specifies the amount of time
## to wait for a response to an LDAP query.
##
#timelimit 30
##
## SUDOERS_DEBUG debug_level
## This sets the debug level for sudo LDAP queries. Debugging
## information is printed to the standard error. A value of 1
## results in a moderate amount of debugging information.
## A value of 2 shows the results of the matches themselves.
##
#sudoers_debug 1